Global Data & Privacy Compliance

CASL | PIPEDA | CAN-SPAM | CCPA 2018 | GDPR | ePrivacy

Helping organizations manage business risk

Global laws and regulations are part of doing business in a global, data-oriented economy. The more we use data in marketing and sales, the more privacy issues arise. Regulation is inevitable and businesses cannot afford to ignore it. Yet your organization cannot create a separate set of policies and procedures for every law out there. How do you develop global data and privacy policies and procedures that meet or beat all applicable laws and regulations?

Our Global Data & Privacy Compliance™ (GDPC) programs let leaders sleep better knowing they are intelligently managing global business risk in the markets where they do business. We show you how to set up data, privacy and communication practices that are compliant in every country you operate in while remaining a single workable process for your staff.

“I sleep better knowing we are compliant.”

Pat Shaw
Former Executive Director, TechConnex

“Compliance to local laws is not optional. We make it our business to understand local laws and comply with them.”

“Thank you for the single-best presentation on this subject (CASL) I’ve seen.”

The withdrawal agreement and data protection

This is an update to our earlier post on Brexit. It discusses the publication of the draft withdrawal agreement, following the UK government's announcement that it has reached a tentative deal with the EU.

As I write it is not at all clear what the next few hours, let alone weeks, will bring and whether Theresa May's withdrawal agreement will survive. However, it's worth setting out what the text does in relation to data protection.

In brief, the withdrawal agreement seeks to ensure that there will be no disruption to data flows between the UK and the EU post Brexit.

The transition period

During the period immediately after the UK leaves the EU on 29th March 2019, but before the treaty governing the future relationship between the EU and the UK comes into force, EU law (including data protection law) will continue to apply to the UK. This is the period which the withdrawal agreement terms the "transition period", but which the UK calls the "implementation period" (they are in fact the same thing). It's not clear how long the transition period will last. The withdrawal agreement provides for it to be extended to a date which is as yet unknown. This is a helpful addition to the text compared to the version published in March, and removes the potential "cliff edge" the UK was facing at the end of 2020 if the future relationship had not yet been agreed.

During the transition period the UK loses its seat at the table in the European Data Protection Board ("EDPB"). But that doesn't necessarily mean that all the provisions which have a link to the EDPB fall away. So, for example, it's not clear how the one stop shop will work during the transition period. Just because the UK Information Commissioner loses her seat at the table doesn't necessarily mean that the entire one stop shop mechanism simply won't apply to the UK. If that were the case it would undermine the central policy of the transition period, which is to maintain consistency as between the regimes in the UK and the EU. The detail of how all this will work in practice is still very unclear. We may have a better sense once the EU (Withdrawal Agreement) Bill is published.

Future relationship

For the future relationship, the UK is seeking an adequacy decision as the basis for the transfer of data from the EU to the UK. The outline of the political declaration on the future relationship which has been published alongside the draft withdrawal agreement says that the EU will "endeavour" to adopt an adequacy decision in relation to the UK by the end of the transition period. The UK will also be seeking to put in place a mechanism which will ensure a free flow of data from the UK to the EU.

The political declaration on the future relationship also mentions (in vague terms) an intention to have "appropriate cooperation between regulators".

Safety net

Only half of US businesses affected by the California Consumer Privacy Act of 2018 expect to be compliant by the January 2020 deadline, according to a PwC survey of more than 300 executives at US companies with revenues of $500 million or more.

The law — CCPA for short — is expected to provide state residents sweeping data-privacy rights that most businesses will only be able to honor by first overhauling their personal data-governance capabilities.

The US retail sector — largely unaffected by last year’s scramble for compliance with the EU’s General Data Protection Regulation — may be particularly challenged in meeting the deadline: fewer than half (46%) of retail and consumer respondents say they will be compliant by 2020. Confidence in meeting the deadline is similarly lacking in the industrial products (44%) and health (47%) sectors.

Respondents from financial services (58%) and telecommunications, media and technology (TMT) (56%) sectors are relatively more confident about meeting the deadline.

The CCPA mandates a wide range of safeguards to protect the personal data of California consumers and employees. The act significantly broadens the definition of personal data to include a range of individual, or household, identifiers. It defines consumer as a “natural person who is a California resident.”

CCPA’s impact will extend well beyond the Golden State and its 39.5 million residents. More than three quarters of respondents to our survey say they collect personal information on California residents. Many are considering whether to extend CCPA’s rights to all of their US employees and consumers for operational simplicity and long-term readiness for potential federal privacy legislation.

What is personal data?

Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.

Personal data is information that relates to an identified or identifiable individual.

What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.

Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.

When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.

Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.

Information which is truly anonymous is not covered by the GDPR.

If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

In brief
What is personal data?

The GDPR applies to the processing of personal data that is:

wholly or partly by automated means; or

the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who:

can be identified or who are identifiable, directly from the information in question; or

who can be indirectly identified from that information in combination with other information.

Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.

Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.

Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.

Information about companies or public authorities is not personal data.

However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.

What are identifiers and related factors?

An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.

A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.

A combination of identifiers may be needed to identify an individual.

The GDPR provides a non-exhaustive list of identifiers, including:

name;

identification number;

location data; and

an online identifier.

‘Online identifiers’ include IP addresses and cookie identifiers, which may be personal data. Other factors can also identify an individual.

Can we identify an individual directly from the information we have?

If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).

You don’t have to know someone’s name for them to be directly identifiable; a combination of other identifiers may be sufficient to identify the individual.

If an individual is directly identifiable from the information, this may constitute personal data.

Can we identify an individual indirectly from the information we have (together with other available information)?

It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.

Even if you may need additional information to be able to identify someone, they may still be identifiable.

That additional information may be information you already hold, or it may be information that you need to obtain from another source.

In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.

When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.

You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
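Two points in the guidance above are easy to get wrong in practice: pseudonymised data is still personal data because whoever holds the key (or a list of candidate names) can reverse the pseudonyms, and a combination of indirect identifiers such as postcode, birth year and gender can single out an individual even after the name has been removed. The following Python is an added example, not part of the ICO guidance or of this page. The records, the HMAC key and the choice of quasi-identifier columns are all constructed for illustration.

```python
"""Keyed pseudonymisation plus a re-identification check (added example).

Constructed sample data; nothing here comes from a real dataset.
"""
import hashlib
import hmac
from collections import Counter
from typing import Iterable, Optional

# Constructed records. Names and values are invented for this example.
RECORDS = [
    {"name": "Alice Example", "postcode": "SW1A 1AA", "birth_year": 1985, "gender": "F", "condition": "asthma"},
    {"name": "Bob Example",   "postcode": "SW1A 1AA", "birth_year": 1985, "gender": "M", "condition": "diabetes"},
    {"name": "Carol Example", "postcode": "M1 1AE",   "birth_year": 1990, "gender": "F", "condition": "none"},
    {"name": "Dan Example",   "postcode": "M1 1AE",   "birth_year": 1990, "gender": "F", "condition": "asthma"},
]
# Indirect identifiers that, in combination, may single someone out (assumed columns).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")


def pseudonymise(name: str, key: bytes) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    Same key and same name give the same token, so records stay linkable,
    but without the key nobody can recompute or verify a token.
    """
    canonical = name.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(records: Iterable[dict], key: bytes) -> list:
    """Drop the name column and add a pseudonym column; all other fields are kept."""
    out = []
    for record in records:
        pseudo = {k: v for k, v in record.items() if k != "name"}
        pseudo["pseudonym"] = pseudonymise(record["name"], key)
        out.append(pseudo)
    return out


def reidentify(pseudonym: str, candidate_names: Iterable[str], key: bytes) -> Optional[str]:
    """Map a token back to a name given the key and a candidate list.

    This is exactly why pseudonymised data remains personal data: the key is
    the 'additional information' that must be held separately.
    """
    for name in candidate_names:
        if hmac.compare_digest(pseudonymise(name, key), pseudonym):
            return name
    return None


def unkeyed_hash_is_reversible(name: str, candidate_names: Iterable[str]) -> bool:
    """Contrast: a plain SHA-256 of a low-entropy identifier needs no key to reverse.

    Anyone with a list of names can hash each one and match, so an unkeyed
    hash is not even a good pseudonym.
    """
    target = hashlib.sha256(name.strip().lower().encode("utf-8")).hexdigest()
    return any(
        hashlib.sha256(n.strip().lower().encode("utf-8")).hexdigest() == target
        for n in candidate_names
    )


def _equivalence_classes(records: Iterable[dict], quasi_identifiers: tuple) -> Counter:
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: list, quasi_identifiers: tuple) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on those columns and the
    person behind it can be singled out without knowing their name.
    """
    return min(_equivalence_classes(records, quasi_identifiers).values())


def singled_out(records: list, quasi_identifiers: tuple) -> list:
    """Return the records whose quasi-identifier combination is unique."""
    counts = _equivalence_classes(records, quasi_identifiers)
    return [r for r in records if counts[tuple(r[q] for q in quasi_identifiers)] == 1]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separate"  # assumed key for the example only
    pseudo = pseudonymise_records(RECORDS, key)
    print("k-anonymity on", QUASI_IDENTIFIERS, "=", k_anonymity(pseudo, QUASI_IDENTIFIERS))
    for r in singled_out(pseudo, QUASI_IDENTIFIERS):
        print("singled out:", r)
    print("k-anonymity without gender =", k_anonymity(pseudo, ("postcode", "birth_year")))
```

Run as a script, the check shows that the full (postcode, birth_year, gender) combination singles out two of the four pseudonymised records, while dropping gender raises k to 2. Re-identification via `reidentify` only succeeds for whoever holds the key, which is the property the guidance relies on when it says pseudonymised data is still personal data; an unkeyed hash of a name, by contrast, is reversible by anyone with a name list.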

What is the meaning of ‘relates to’?

Information must ‘relate to’ the identifiable individual to be personal data.

This means that it does more than simply identifying them – it must concern the individual in some way.

To decide whether or not data relates to an individual, you may need to consider:

the content of the data – is it directly about the individual or their activities?;

the purpose you will process the data for; and

the results of or effects on the individual from processing the data.

Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.

There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.

Inaccurate information may still be personal data if it relates to an identifiable individual.

What happens when different organisations process the same data for different purposes?

It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.

This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.

However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.

It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.